Shed - .Net Runtime Inspector

Shed is an application that allows you to inspect the .NET runtime of a program in order to extract useful information. It can be used to inspect malicious applications in order to get a first general overview of which information is stored in memory once the malware is executed.
Shed is able to:
  • Inject a .NET Assembly in a remote process (both managed and unmanaged)
  • Extract all objects stored in the managed heap
  • Print strings stored in memory
  • Save the snapshot of the heap in a JSON format for post-processing
  • Dump all modules that are loaded in memory

Using Shed
Shed is a command line tool. To display all available options run:
shed.exe --help

Inspecting an already running application
In order to inspect an already running process you have to pass its pid to Shed. Example:
Shed.exe --pid 2356

Inspecting a binary
In order to inspect a binary, Shed needs to execute it and attach to it in order to inspect the runtime. Example:
Shed.exe --exe malware.exe
You can also specify the amount of time (in milliseconds) to wait before suspending the process. This gives the program the time to initialize its properties. Example:
Shed.exe --timeout 2000 --exe malware.exe

Injecting an Assembly in a remote process
With Shed it is possible to inject a .NET Assembly in a remote process thanks to the ManagedInjector library. In order to do so, it is necessary to specify the pid of the process and the exe to inject. Once the Assembly is injected it is possible to activate it by invoking a specific method. The rules to set the method are inherited from the ManagedInjector project and are the following:
  • You must specify the full method name to invoke (eg. this.is.my.namespace.class.method)
  • You can inject an executable that defines an EntryPoint method to execute (like a Console project)
  • You can define a method with the following signature: static void Inject()
For example, to inject the Assembly InjectedAssembly into the process with pid 1234, you have to run Shed with the following command:
shed.exe --pid 1234 --exe InjectedAssembly.dll --inject
With the --method option you can specify a method from InjectedAssembly.exe to invoke.
Find below an example of execution:


Dumping options
By default Shed dumps both the heap and the modules. If you want only one of them, specify the --dump-heap option to dump only the objects in the heap or --dump-modules to dump only the modules.
Dumping the heap can produce a lot of information that is not strictly useful for the analysis. You can filter it by using two files:
  • blacklist.txt: this file contains the type name prefixes that must not be logged
  • whitelist.txt: this file contains the type name prefixes that must be logged even if blacklisted
For example, if you want to filter out the whole System.IO namespace but you are interested in logging System.IO.MemoryStream, you can add the first value to blacklist.txt and the second one to whitelist.txt.
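As an added illustration of these filtering rules (example code, not Shed's own), the following Python models how a blacklist.txt/whitelist.txt pair decides which heap types get logged. It assumes one prefix per line, blank lines and '#' lines ignored, plain case-sensitive prefix matching, and uses constructed type names.

```python
"""Model of Shed's blacklist/whitelist type filter (added example, not Shed's code).

Assumptions not stated in the README: one type-name prefix per line, blank lines
and lines starting with '#' are ignored, matching is a plain case-sensitive prefix.
"""
from typing import Iterable, List


def load_prefixes(text: str) -> List[str]:
    """Parse the contents of blacklist.txt / whitelist.txt into a prefix list."""
    prefixes = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # comment lines are an assumption
            prefixes.append(line)
    return prefixes


def should_log(type_name: str, blacklist: Iterable[str], whitelist: Iterable[str]) -> bool:
    """Return True if an object of this type should be kept in the heap dump.

    A whitelisted prefix wins over a blacklisted one, which is what lets
    System.IO.MemoryStream survive a blacklist entry for System.IO.
    """
    if any(type_name.startswith(p) for p in whitelist):
        return True
    return not any(type_name.startswith(p) for p in blacklist)


def filter_heap(type_names: Iterable[str], blacklist_txt: str, whitelist_txt: str) -> List[str]:
    """Apply both files to a list of type names taken from a heap snapshot."""
    bl, wl = load_prefixes(blacklist_txt), load_prefixes(whitelist_txt)
    return [t for t in type_names if should_log(t, bl, wl)]


# Constructed sample: the blacklist/whitelist pair from the README plus a few
# type names of the kind a heap dump might contain.
BLACKLIST_TXT = "System.IO\n"
WHITELIST_TXT = "System.IO.MemoryStream\n"
SAMPLE_TYPES = [
    "System.String",
    "System.IO.FileStream",
    "System.IO.MemoryStream",
    "System.IO.MemoryStream[]",  # array of the whitelisted type: same prefix, kept
    "Sample.Configuration",
]

if __name__ == "__main__":
    for t in filter_heap(SAMPLE_TYPES, BLACKLIST_TXT, WHITELIST_TXT):
        print(t)
```

Because matching is by prefix rather than by namespace, a blacklist entry also covers nested namespaces and array types of the listed name, so keep entries as specific as the analysis needs.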

Examples
In the Examples folder you will find 3 different projects that you can use in order to test Shed. Example:
Shed.exe --exe ..\Examples\ConfigurationSample\ConfigurationSample.exe
When the analysis is completed, Shed will print where you can find the result, as shown below:
[+] Result saved to C:\Shed\Result\7800